RANDOM NUMBER INSTEAD OF RANDOM PRIME



TECHNICAL FIELD



The present invention relates to a method for providing cryptographic keys which are usable 
in a network of connected computer nodes applying a signature scheme. Further, the present 
invention relates to a method for providing a signature value on a message in a network of 
connected computer nodes. Moreover, the present invention also relates to a method for 
verifying a signature value on a message in a network of connected computer nodes. 



BACKGROUND OF THE INVENTION 

Many cryptographic schemes require the generation of a (random) prime each time they are used.
Examples are signature schemes, group signature schemes, or credential systems, such as the
so-called Cramer-Shoup signature scheme by R. Cramer and V. Shoup, "Signature schemes
based on the strong RSA assumption," in Proc. 6th ACM Conference on Computer and
Communications Security, pages 46-52, ACM Press, Nov. 1999, or the credential system by J.
Camenisch and A. Lysyanskaya in their article "Efficient nontransferable anonymous
multi-show credential system with optional anonymity revocation," in B. Pfitzmann, editor,
Advances in Cryptology - EUROCRYPT 2001, volume 2045 of LNCS, pages 93-118,
Springer Verlag, 2001. The security of all these schemes is based on the so-called strong RSA
assumption. More precisely, their security proofs require that each signature or credential is
computed using a unique prime, i.e., the computation of each signature or credential involves
computing an e-th root where e is said unique prime. The e is also referred to as unique
exponent in the following.

Unfortunately, the generation of primes is computationally expensive, especially if they need 
to be large. Because of this, the generation of signatures or credentials in the above mentioned 
schemes becomes computationally involved. 



For the generation of primes one could in principle each time choose any integer as unique
exponent, as long as it possesses a prime factor that does not appear in any unique exponent
that was used before. This would require storing all exponents used so far and testing the newly
chosen exponent against these numbers, which, however, is very inefficient.

From the above it follows that there is still a need in the art to simplify the generation of a
signature for these schemes. Usually, a new prime is necessary each time a signature is
generated, which is rather inefficient. Therefore, it is an object to provide cryptographic keys and
signature values more efficiently. Each signature value should be verifiable.

GLOSSARY

The following are informal definitions to aid in the understanding of the description. 

Credential: In the present context, the term credential is understood as a subset of access
permissions (developed with the use of media-independent data) attesting to, or establishing,
the identity of an entity, such as a birth certificate, driver's license, mother's maiden name,
social security number, fingerprint, voice print, or other biometric parameter(s). Moreover, the
credential comprises information, passed from one entity to another, used to establish the
sending entity's access rights. The term certificate is understood as a particular credential
stating that a certain public key belongs to a certain entity or user.

Signature: A digital signature consists of one or more values that relate a message to a public 
key. A signature can only be produced using the secret key corresponding to the public key. 

The following signs relate to the terms indicated beside and are used within the description.

A, B, C, D        computer nodes
p, q              primes
n                 product of p and q
sk                secret key being derived from p and q
A                 first random limit
v                 interval widths
A, v              exponent-interval description
I                 exponent interval
u, l              security parameter
e                 exponent value
e'                random prime
m                 message
x'                verification value
H                 hash function
QR_n              elements having a square root modulo n
y', h, x          elements of QR_n
y                 computed signature root value
y, y', e          signature value
h, x              public values
n, h, x, e', I    public key value
pk                public key comprising public key value (n, h, x, e', I) and
                  exponent-interval description (A, v)
u                 random bit-numbers

SUMMARY AND ADVANTAGES OF THE INVENTION

Provided is an efficient scheme for generating a unique exponent or exponent value such that 
it is no longer necessary to generate a new prime for each use of them. 

The scheme uses integers drawn from a particular interval instead of primes. Because
choosing a random integer is much more efficient than choosing a prime at random, the
issuing of signatures or credentials in resulting schemes will be more efficient.

The main observation that allows one to use composites, i.e. non-primes, instead of primes as
in the above mentioned scheme is that it is in fact sufficient for the schemes' security if each
unique exponent has a unique prime factor that is sufficiently large.

In general, at first a sufficiently large set of integers is determined such that all the integers in
the set have a unique prime factor. Once this set is specified, one chooses as unique exponent
a random element from the set. If the set is sufficiently large, one will with high probability
not select the same element twice. This is most efficient if the set is an interval. Below it is
described how to determine intervals such that each integer in the interval has a unique prime
factor.

In accordance with a first aspect of the present invention, there is given a method for
providing cryptographic keys usable in a network of connected computer nodes A, B, C, D
applying a signature scheme. The method executable by a first computer node A comprising
the steps of:
- generating a random secret key sk;

- generating an exponent interval I having a first random limit A, wherein, with a probability
close to certainty, each element of the exponent interval I has a unique prime factor that is
larger than a given security parameter l;

- providing a public key pk comprising an exponent-interval description A, v and a public key
value n, h, x, e', I derived from the random secret key sk,

such that the random secret key sk and a selected exponent value e from the exponent interval
I are usable for deriving a signature value y, y', e on a message m to be sent within the network
to a second computer node B, C, D for verification.

The step of generating a random secret key sk can comprise the use of two primes p and q.
The product of the two primes can then be part of the public key pk. As this approach is based
on the hardness of factoring, a secure cryptographic system can be achieved.

In another approach the step of generating a random secret key sk can comprise selecting an
integer value d which defines a class group G and selecting two elements g and z of the class
group G. As this approach is based on the hardness of computing roots in groups of unknown
order, a more secure cryptographic system can thus be provided. The step of providing the
public key pk can then comprise computing a modified public key value d, h, x, e', I under use
of the selected two elements g and z and the exponent interval I. This is further confirmed by
the hardness of computing roots in groups of unknown order and thus leads to an even more
secure cryptographic system.



In accordance with a second aspect of the present invention, there is given a method for
providing a signature value y, y', e on a message m in a network of connected computer nodes
A, B, C, D, the method executable by a first computer node A comprising the steps of:
- selecting an exponent value e from an exponent interval I, wherein each element of the
exponent interval I has, with a probability close to certainty, a unique prime factor that is
larger than a given security parameter l; and

- deriving the signature value y, y', e from a provided secret key sk, the selected exponent
value e, and the message m, the signature value y, y', e being sendable within the network to a
second computer node B, C, D for verification.

The step of deriving the signature value y, y', e can further comprise a computation of the e-th
root y of a value derived from the message m and the secret key sk using a cryptographic hash
function H. The e is contemplated as the exponent value e. This allows the design of securer
cryptographic systems.

In accordance with a third aspect of the present invention, there is given a method for
verifying a signature value y, y', e on a message m in a network of connected computer nodes
A, B, C, D, the method executable by a second computer node B, C, D comprising the steps
of:
- receiving the signature value y, y', e from a first computer node A; and

- verifying whether an exponent value e is contained in an exponent interval I, wherein each
element of the exponent interval I has, with a probability close to certainty, a unique prime
factor that is larger than a given security parameter l, the signature value y, y', e is invalid if
the exponent value e is not contained in the exponent interval I.

The step of verifying can further comprise a computing step of raising a computed signature
root value y to the power of the exponent value e. The computed signature root value y forms
part of the signature value y, y', e.

DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the invention are described in detail below, by way of example 
only, with reference to the following schematic drawings. 

FIG. 1 shows a typical network with multiple computer nodes.

FIG. 2 shows a flow diagram according to a first aspect of the invention.

FIG. 3 shows a flow diagram according to a second aspect of the invention.

FIG. 4 shows a flow diagram according to a third aspect of the invention.

The drawings are provided for illustrative purpose only and do not necessarily represent 
practical examples of the present invention to scale. 

DESCRIPTION OF EMBODIMENTS



Fig. 1 shows a typical network with multiple computer nodes A, B, C, D, where each node can
also be contemplated as a participating network device. More particularly, the figure shows an
example of a common computer system 2, where a random number r is generated. It consists 
here of four computer nodes A, B, C, and D which are connected via communication lines 5 
to the network. Each computer node A, B, C, D may be any type of computer device known in 
the art from a computer on a chip or a wearable computer to a large computer system. The 
communication lines 5 can be any communication means commonly known to transmit data 
or messages from one computer node A, B, C, D to another. For instance, the communication 
lines 5 may be either single, bi-directional communication lines 5 between each pair of 
participating network devices A, B, C, D or one unidirectional line in each direction between 
each pair of computer nodes A, B, C, D. Such communication lines 5 are well known in the 
art. The common computer system 2 is shown to facilitate the description of the following 
random number generation protocol. 

The following describes in more detail how cryptographic keys sk, pk can be provided as well
as how a signature value y, y', e on a message m is created. Further, the verification of the
signature value y, y', e is shown in more detail.

Cryptographic keys

With reference to Fig. 2, the generation of a secret key sk and a public key pk is now
described. The secret key sk and the public key pk are contemplated as cryptographic keys sk,
pk which are usable in a network of the connected computer nodes A, B, C, D which apply a
signature scheme. In the following it is assumed that the first computer node A executes the
following steps. At first, as indicated in box 20, a random secret key sk is generated. For that,
two primes p and q forming the secret key can be used, whereby the product of the two primes
p and q is part of the public key pk. Then an exponent interval I is chosen that can be
determined according to the description below, whereby the exponent interval I has a first
random limit A, as indicated in box 22. With a probability close to certainty, each element of
the exponent interval I has a unique prime factor that is larger than a given security parameter
l. More precisely, let n be the product of two sufficiently large primes p and q, h and x two
elements from QR_n and e' a random l + 1 bit prime. Let H be a hash function whose outputs
have l bits. As indicated with box 24, the first computer node A performs some computations
and selections in order to provide the public key pk as indicated with box 26. The public key
pk finally comprises an exponent-interval description A, v and a public key value n, h, x, e', I
which is derived from the random secret key sk. As indicated within box 24, the first
computer node A selects an exponent value e from the exponent interval I and a random prime
e', computes the product n of the primes p and q and derives from n the two public values h, x.
Thereby the random secret key sk and the selected exponent value e are usable for deriving a
signature value y, y', e on a message m. This signature value y, y', e can then be sent within the
network 5 to a second computer node B, C, D for verification purposes.

In a further embodiment, the generation of the random secret key sk comprises the selection of
an integer value d which defines a class group G and the selection of two elements g and z of
said class group G. Consequently, a modified public key value d, h, x, e', I can be provided
under use of the selected two elements g and z and the exponent interval I, while e' is chosen
randomly and h, x are calculated as follows:

h = g**I, X = Z**I . 

As this is based on the hardness of computing roots in groups of unknown order, a secure 
cryptographic system can be provided. 






Fig. 3 shows a flow diagram for deriving the signature value y, y', e that is sendable within the
network to the second computer node B, C, D for verification. For the derivation the first
computer node A performs a selection of an exponent value e from an exponent interval I as
indicated with box 30, wherein each element of the exponent interval I has, with a probability
close to certainty, a unique prime factor that is larger than a given security parameter l. The
signature value y, y', e is then derived, as indicated with box 34 and mathematically shown
below, from the provided secret key p and q as indicated with box 31, the selected exponent
value e, the message m as indicated with box 32, and part of the public key value n, h, x, e' as
indicated with box 33.

In a further embodiment, the signature value y, y', e can be derived by computing the e-th root
y of a value derived from the message m, also referred to as computed signature root value y,
and the secret key sk by using a cryptographic hash function H.

Mathematically, to sign a message m, the signer, i.e. the first computer node A, chooses a
random element y' from QR_n, or from G in case of class groups, and an exponent value e from
I, and computes a y such that

y^e = x h^{H(x')},

that means the computed signature root value y can be determined as follows

y = (x h^{H(y'^{e'} h^{-H(m)})})^{1/e}.

To verify a signature, one computes x' = y'^{e'} h^{-H(m)} and checks that y^e = x h^{H(x')} and e ∈ I
holds.

That means for verifying the signature value y, y', e on the message m a second computer
node B, C, D receives the signature value y, y', e, as indicated with box 40, from the first
computer node A. The second computer node B, C, D verifies by using the provided part of
the public key value n, h, x, e' as indicated with box 33 whether or not the exponent value e is
contained in the exponent interval I as indicated with box 44. Thereby each element of the
exponent interval I should have, with a probability close to certainty, a unique prime factor
that is larger than the given security parameter l. The signature value y, y', e is invalid if the
exponent value e is not contained in the exponent interval I.

The check comprises computing y^e, which means that the computed signature root value y that
is part of the signature value y, y', e is raised to the power of the exponent value e as shown in
the equation above.
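
The following is an added example, not part of the original application: a toy Python rendering of the key generation, signing and verification steps described above for the two-prime embodiment, in which the exponent e is a random integer drawn from I = [A, A + 2^v] and the verifier rejects any e outside I. The parameter sizes, the SHA-256-based H, the fixed e' = 65537 and all function names are assumptions made for illustration; the toy interval is not selected by the probability bounds discussed under "Choosing an Interval", so the code shows the mechanics only.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (assumptions; far too small for real use).
P, Q = 1019, 1187                 # safe primes: 1019 = 2*509 + 1, 1187 = 2*593 + 1
N = P * Q                         # public modulus n
ORDER = ((P - 1) // 2) * ((Q - 1) // 2)  # order of QR_n, derived from p and q (secret)
L_BITS = 16                       # security parameter l: H outputs l bits
E_PRIME = 65537                   # e': a fixed (l+1)-bit prime
V = 20                            # the interval is [A, A + 2^v]


def H(value):
    """Hash bytes or an integer to an l-bit integer (truncated SHA-256)."""
    if isinstance(value, int):
        value = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(value).digest(), "big") >> (256 - L_BITS)


def random_qr():
    """Random element of QR_n: the square of a random unit modulo n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return pow(r, 2, N)


def keygen():
    """Return (pk, sk); pk carries the exponent-interval description (A, v)."""
    a = secrets.randbits(40) | (1 << 39)   # first random limit A, with v < log2(A)
    pk = {"n": N, "h": random_qr(), "x": random_qr(),
          "e_prime": E_PRIME, "A": a, "v": V}
    return pk, ORDER


def in_interval(e, pk):
    """Membership test e in I = [A, A + 2^v], using only public values."""
    return pk["A"] <= e <= pk["A"] + (1 << pk["v"])


def sign(m, pk, sk):
    n, h, x = pk["n"], pk["h"], pk["x"]
    while True:
        # A random integer from I, not a freshly generated prime.
        e = pk["A"] + secrets.randbelow((1 << pk["v"]) + 1)
        if gcd(e, sk) == 1:       # toy-size guard: e must be invertible mod |QR_n|
            break
    y_prime = random_qr()
    # x' = y'^e' * h^(-H(m)) mod n
    x_prime = pow(y_prime, pk["e_prime"], n) * pow(h, -H(m), n) % n
    base = x * pow(h, H(x_prime), n) % n
    y = pow(base, pow(e, -1, sk), n)   # e-th root; needs the secret group order
    return y, y_prime, e


def verify(m, sig, pk):
    y, y_prime, e = sig
    if not in_interval(e, pk):    # the signature is invalid if e is not in I
        return False
    n, h, x = pk["n"], pk["h"], pk["x"]
    x_prime = pow(y_prime, pk["e_prime"], n) * pow(h, -H(m), n) % n
    return pow(y, e, n) == x * pow(h, H(x_prime), n) % n   # y^e = x * h^H(x')


if __name__ == "__main__":
    pk, sk = keygen()
    sig = sign(b"constructed sample message", pk, sk)
    print("e =", sig[2], "valid:", verify(b"constructed sample message", sig, pk))
```

The interval check in verify() is what keeps a signer from substituting an arbitrary exponent; it uses only the public description (A, v).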

Choosing an Interval

In the following, it is addressed how an exponent interval I can be chosen. The above scheme
can be shown secure if the interval I contains only few integers that have either a distinct
prime factor larger than a certain size l or two distinct prime factors larger than 2^v (the
integers that do not meet these conditions are called (l, v)-smooth) and no integer with the
largest prime factor smaller than 2^l. Therefore, in order to choose an interval I one needs to
evaluate the probability that a randomly chosen interval meets this condition.

Let n_1 and n_2 denote the biggest and second biggest prime factor of number n, respectively.
Define the quantities

Ψ(x, y) = #{0 < n ≤ x : n_1 ≤ y} and Ψ(x, y, z) = #{0 < n ≤ x : n_1 ≤ y, n_2 ≤ z}.

It can be shown that the probability that a randomly chosen interval I = [A, A + 2^v] contains
more than 2"* integers that are (l, v)-smooth is at most Ψ(A, 2^l, 2^v) 2** /A and that it contains
no odd integer with a prime factor smaller than 2^v is at most Ψ(A, 2^v) 2 y /A, provided that
v<log(A)<v? holds. This now allows one to choose the A, l, and v (and thereby the interval)
such that these probabilities are small, i.e., such that I meets the required condition with
sufficiently high probability. To evaluate the quantities Ψ(x, y) and Ψ(x, y, z) one can use
bounds on them that are found in literature.

Any disclosed embodiment may be combined with one or several of the other embodiments
shown and/or described. This is also possible for one or more features of the embodiments.

The present invention can be realized in hardware, software, or a combination of hardware
and software. Any kind of computer system - or other apparatus adapted for carrying out the
method described herein - is suited. A typical combination of hardware and software could be
a general purpose computer system with a computer program that, when being loaded and
executed, controls the computer system such that it carries out the methods described herein.

The present invention can also be embedded in a computer program product, which comprises
all the features enabling the implementation of the methods described herein, and which -
when loaded in a computer system - is able to carry out these methods.

Computer program means or computer program in the present context mean any expression,
in any language, code or notation, of a set of instructions intended to cause a system having an
information processing capability to perform a particular function either directly or after either
or both of the following: a) conversion to another language, code or notation; b) reproduction
in a different material form.

CLAIMS

1. A method for providing cryptographic keys (sk, pk) usable in a network of connected
computer nodes (A, B, C, D) applying a signature scheme, the method executable by a
first computer node (A) comprising the steps of:
- generating a random secret key (sk);

- generating an exponent interval (I) having a first random limit (A), wherein, with a
probability close to certainty, each element of the exponent interval (I) has a unique prime
factor that is larger than a given security parameter (l);

- providing a public key (pk) comprising an exponent-interval description (A, v) and a
public key value (n, h, x, e', I) derived from the random secret key (sk),

such that the random secret key (sk) and a selected exponent value (e) from the exponent
interval (I) are usable for deriving a signature value (y, y', e) on a message (m) to be sent
within the network to a second computer node (B, C, D) for verification.

2. The method according to claim 1, wherein the step of generating a random secret key (sk)
comprises using two primes (p, q), the product of which is part of the public key (pk).

3. The method according to claim 1, wherein the step of generating a random secret key (sk)
comprises selecting an integer value (d) defining a class group (G) and selecting two
elements (g, z) of the class group (G).

4. The method according to claim 3, wherein the step of providing a public key (pk)
comprises computing a modified public key value (d, h, x, e', I) under use of the selected
two elements (g, z) and the exponent interval (I).



CH920020054 



021 31.03.2003 14:22:3 




5. A method for providing a signature value (y, y', e) on a message (m) in a network of
connected computer nodes (A, B, C, D), the method executable by a first computer node
(A) comprising the steps of:

- selecting an exponent value (e) from an exponent interval (I), wherein each element of
the exponent interval (I) has, with a probability close to certainty, a unique prime factor
that is larger than a given security parameter (l); and

- deriving the signature value (y, y', e) from a provided secret key (sk), the selected
exponent value (e), and the message (m), the signature value (y, y', e) being sendable
within the network to a second computer node (B, C, D) for verification.

6. The method according to claim 5, wherein the step of deriving the signature value (y, y',
e) further comprises a computation of the e-th root (y) of a value derived from the
message (m) and the secret key (sk) using a cryptographic hash function (H), the e being
the exponent value (e).

7. A method for verifying a signature value (y, y', e) on a message (m) in a network of
connected computer nodes (A, B, C, D), the method executable by a second computer
node (B, C, D) comprising the steps of:

- receiving the signature value (y, y', e) from a first computer node (A); and

- verifying whether an exponent value (e) is contained in an exponent interval (I), wherein
each element of the exponent interval (I) has, with a probability close to certainty, a
unique prime factor that is larger than a given security parameter (l), the signature value
(y, y', e) is invalid if the exponent value (e) is not contained in the exponent interval (I).

8. The method according to claim 7, wherein the step of verifying further comprises a
computing step of raising a computed signature root value (y) that is part of the
signature value (y, y', e) to the power of the exponent value (e).



9. A computer program element comprising program code means for performing a method
of any one of the claims 1 to 8 when said program is run on a computer.

10. A computer program product stored on a computer usable medium, comprising computer
readable program means for causing a computer to perform a method according to any one
of the preceding claims 1 to 8.

11. A computer device (A, B, C, D) comprising:

a computer program product according to claim 9; and

a processor for executing the computer program product when the computer program
product is run on the computer device.

Abstract



RANDOM NUMBER INSTEAD OF RANDOM PRIME 



The present invention relates to a method for providing cryptographic keys which are usable
in a network of connected computer nodes applying a signature scheme. Further, the present
invention relates to a method for providing a signature value on a message in a network of
connected computer nodes and a method for verifying the signature value on the message.



[Fig. 2] 



